
Redirects, pop-ups, CPU usage 100%, and more


  • This topic is locked
10 replies to this topic

#1 Flustrated

Flustrated

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:59 AM

Posted 27 November 2010 - 07:19 PM

My laptop seems to have several issues that I have been unsuccessful in getting rid of. When clicking on a link after doing a search, I'm redirected to another page. Pop-ups appear out of the blue saying "Congratulations, you're today's Walmart $1,000 winner" etc. Each time I run a full scan with Malwarebytes several infected objects are found which are quarantined and removed, but they always seem to come back and sometimes, they bring more friends with them! Arrrgh. Sometimes while viewing a page the window changes to what looks like an old style windows look. I have been unable to get Windows updates. There appears to be something running that shows CPU usage at 100% and freezes my computer. Also, on startup Windows Installer pops up and tries to install something named AMRT and says the resource is not available. I end up closing this in the task manager. I am also getting a message that says something about Virtual Memory is low.

I followed the prep guide and will attach the logs for your review.

Thanks so much for any help you can offer.




DDS (Ver_10-11-26.01) - NTFSx86
Run by Owner at 19:47:12.01 on Fri 11/26/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

============== Running Processes ===============

C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner.YOUR-CEA96F509F\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6441
uStart Page = hxxp://www.atlanticbb.net/
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6441
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [cctray] "c:\program files\ca\ca internet security suite\casc.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper_3004.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
uPolicies-explorer: NoFolderOptions = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1277521497187
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1289533310435
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AutorunsDisabled - Ati2evxx.dll
Notify: PFW - UmxWnp.Dll
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.you\applic~1\mozilla\firefox\profiles\g1v6mpkj.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Search
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=
============= SERVICES / DRIVERS ===============

R? el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver
R? KmxAMVet;KmxAMVet
R? mfnpgae;mfnpgae
R? nosGetPlusHelper;getPlus® Helper 3004
R? UmxAgent;HIPS Event Manager
S? CAAMSvc;CAAMSvc
S? CAISafe;CAISafe
S? ccSchedulerSVC;CA Common Scheduler Service
S? HSFHWATI;HSFHWATI
S? KmxAgent;KmxAgent
S? KmxAMRT;KmxAMRT
S? KmxCfg;KmxCfg
S? KmxStart;KmxStart
S? McrdSvc;Media Center Extender Service
S? PSI;PSI
S? Secunia PSI Agent;Secunia PSI Agent
S? UmxCfg;HIPS Configuration Interpreter
S? UmxPol;HIPS Policy Manager

=============== Created Last 30 ================

2010-11-26 23:55:13 -------- d-----w- c:\docume~1\owner~1.you\locals~1\applic~1\Temp
2010-11-18 07:28:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-18 07:28:08 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-11-18 07:28:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-18 07:20:25 238059 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin6.dll
2010-11-18 07:20:25 238057 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin4.dll
2010-11-18 07:20:25 238016 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2010-11-18 07:20:25 238012 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin2.dll
2010-11-18 07:20:25 237984 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin7.dll
2010-11-18 07:20:25 237975 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll
2010-11-18 07:20:25 237970 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin.dll
2010-11-18 07:20:25 237917 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin5.dll
2010-11-18 07:18:09 -------- d-----w- c:\docume~1\owner~1.you\locals~1\applic~1\Apple
2010-11-18 07:14:58 -------- d-----w- c:\docume~1\owner~1.you\locals~1\applic~1\Apple Computer
2010-11-18 07:08:02 25048 ------w- c:\program files\mozilla firefox\components\browserdirprovider.dll
2010-11-18 07:08:02 140248 ------w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2010-11-18 06:37:16 -------- d-----w- c:\docume~1\owner~1.you\locals~1\applic~1\Secunia PSI
2010-11-18 06:36:21 -------- d-----w- c:\program files\Secunia
2010-11-18 03:09:04 -------- d-----w- c:\windows\system32\LogFiles
2010-11-18 03:03:19 35136 ----a-w- c:\program files\mozilla firefox\plugins\np_gp.dll
2010-11-16 03:05:27 130728 ----a-w- c:\windows\ofarocohuvilitac.dll
2010-11-16 03:04:53 36356 ---h--w- c:\windows\gdi32.exe
2010-11-16 03:04:14 1073565 ----a-w- c:\docume~1\owner~1.you\locals~1\applic~1\46256.exe
2010-11-16 03:03:53 0 ----a-w- c:\windows\system32\drivers\mfnpgae.sys
2010-11-16 03:03:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\jJnFi02043
2010-11-16 03:03:16 50688 ---ha-w- c:\windows\system32\javagman.dll
2010-11-16 03:03:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\WSTB
2010-11-10 17:49:36 135568 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-11-10 17:49:36 135568 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

==================== Find3M ====================

2010-10-29 02:28:54 95568 ----a-w- c:\windows\system32\vetredir.dll
2010-10-29 02:28:54 128336 ----a-w- c:\windows\system32\isafeif.dll
2010-09-08 16:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 20:00:27.18 ===============

Attached Files





#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:59 AM

Posted 28 November 2010 - 01:37 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Flustrated

Flustrated
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:59 AM

Posted 28 November 2010 - 01:53 PM

New DDS and GMER logs

Thank you!



DDS (Ver_10-11-27.01) - NTFSx86
Run by Owner at 10:55:22.50 on Sun 11/28/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.115 [GMT -5:00]

AV: CA Anti-Virus Plus *On-access scanning enabled* (Outdated) {6B98D35F-BB76-41C0-876B-A50645ED099A}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\caamsvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus Plus\isafe.exe
C:\Program Files\CA\CA Internet Security Suite\ccschedulersvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Secunia\PSI\PSIA.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Secunia\PSI\psi_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\Vhl.exe
C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\Vhm.exe
C:\WINDOWS\Vzacub.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Documents and Settings\Owner.YOUR-CEA96F509F\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6441
uStart Page = hxxp://www.atlanticbb.net/
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=PTB&M=MX6441
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [UO8KTAT1GY] c:\docume~1\owner~1.you\locals~1\temp\Vhl.exe
uRun: [6BTOP2GA8A] c:\windows\Vzacua.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [cctray] "c:\program files\ca\ca internet security suite\casc.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mExplorerRun: [THOH] c:\windows\system32\iyuv_32E.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\windows\system32\VetRedir.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1277521497187
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1289533310435
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: AutorunsDisabled - Ati2evxx.dll
Notify: PFW - UmxWnp.Dll
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.you\applic~1\mozilla\firefox\profiles\g1v6mpkj.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Search
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=
============= SERVICES / DRIVERS ===============

R0 KmxAMRT;KmxAMRT;c:\windows\system32\drivers\KmxAMRT.sys [2010-9-17 135248]
R0 KmxStart;KmxStart;c:\windows\system32\drivers\KmxStart.sys [2010-5-3 108112]
R1 KmxAgent;KmxAgent;c:\windows\system32\drivers\KmxAgent.sys [2010-3-22 79864]
R2 CAAMSvc;CAAMSvc;c:\program files\ca\ca internet security suite\ca anti-virus plus\CAAMSvc.exe [2010-10-29 206152]
R2 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus plus\isafe.exe [2010-6-26 212992]
R2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe [2010-6-26 206160]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\secunia\psi\psia.exe [2010-11-9 838200]
R2 UmxCfg;HIPS Configuration Interpreter;c:\program files\ca\sharedcomponents\hipsengine\UmxCfg.exe [2010-8-24 740160]
R2 UmxPol;HIPS Policy Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxPol.exe [2010-9-17 301648]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2010-6-25 200576]
R3 KmxCfg;KmxCfg;c:\windows\system32\drivers\KmxCfg.sys [2010-6-9 244304]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [2010-9-1 15544]
S2 UmxAgent;HIPS Event Manager;c:\program files\ca\sharedcomponents\hipsengine\UmxAgent.exe [2009-8-4 887288]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [2010-6-25 69692]
S3 KmxAMVet;KmxAMVet;c:\windows\system32\drivers\KmxAMVet.sys [2009-3-27 598656]
S4 mfnpgae;mfnpgae;c:\windows\system32\drivers\mfnpgae.sys [2010-11-15 0]

=============== Created Last 30 ================

2010-11-28 15:49:03 176640 ----a-w- c:\windows\Vzacub.exe
2010-11-28 15:48:31 119808 --sha-r- c:\windows\system32\iyuv_32E.exe
2010-11-27 16:14:29 191488 ----a-w- c:\windows\Vzacua.exe
2010-11-27 16:14:07 230912 ----a-w- c:\windows\system32\sshnas21.dll
2010-11-27 16:13:50 -------- d-----w- c:\program files\win
2010-11-26 23:55:13 -------- d-----w- c:\docume~1\owner~1.you\locals~1\applic~1\Temp
2010-11-26 23:39:09 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-11-26 23:39:07 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-11-26 23:38:42 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-11-26 23:38:04 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-11-18 07:28:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-18 07:28:08 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2010-11-18 07:28:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-18 07:20:25 238059 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin6.dll
2010-11-18 07:20:25 238057 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin4.dll
2010-11-18 07:20:25 238016 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2010-11-18 07:20:25 238012 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin2.dll
2010-11-18 07:20:25 237984 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin7.dll
2010-11-18 07:20:25 237975 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin3.dll
2010-11-18 07:20:25 237970 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin.dll
2010-11-18 07:20:25 237917 ----a-w- c:\program files\mozilla firefox\plugins\npqtplugin5.dll
2010-11-18 07:18:09 -------- d-----w- c:\docume~1\owner~1.you\locals~1\applic~1\Apple
2010-11-18 07:14:58 -------- d-----w- c:\docume~1\owner~1.you\locals~1\applic~1\Apple Computer
2010-11-18 07:08:02 25048 ------w- c:\program files\mozilla firefox\components\browserdirprovider.dll
2010-11-18 07:08:02 140248 ------w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2010-11-18 06:37:16 -------- d-----w- c:\docume~1\owner~1.you\locals~1\applic~1\Secunia PSI
2010-11-18 06:36:21 -------- d-----w- c:\program files\Secunia
2010-11-18 03:09:04 -------- d-----w- c:\windows\system32\LogFiles
2010-11-16 03:05:27 130728 ----a-w- c:\windows\ofarocohuvilitac.dll
2010-11-16 03:04:53 36356 ---h--w- c:\windows\gdi32.exe
2010-11-16 03:04:14 1073565 ----a-w- c:\docume~1\owner~1.you\locals~1\applic~1\46256.exe
2010-11-16 03:03:53 0 ----a-w- c:\windows\system32\drivers\mfnpgae.sys
2010-11-16 03:03:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\jJnFi02043
2010-11-16 03:03:16 50688 ---ha-w- c:\windows\system32\javagman.dll
2010-11-16 03:03:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\WSTB
2010-11-10 17:49:36 135568 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll
2010-11-10 17:49:36 135568 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

==================== Find3M ====================

2010-10-29 02:28:54 95568 ----a-w- c:\windows\system32\vetredir.dll
2010-10-29 02:28:54 128336 ----a-w- c:\windows\system32\isafeif.dll
2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 16:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 11:08:10.17 ===============

Attached Files
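A triage script for logs like the two DDS logs above, written here as an added example (it is not the DDS tool, nor code from BleepingComputer or this thread). It flags what a helper reads off such a log: processes and autorun entries living in a temp directory or directly in the Windows directory, random-looking autorun value names, the NoFolderOptions policy, a keyword.URL search redirect, and newly created hidden/system or zero-byte binaries, then ties an autorun back to the new file it launches. The allowlist of Windows-root executables and the random-name rule are assumptions, and the sample lines are constructed from the posted log.

```python
# DDS log triage heuristics: an added example, not the DDS tool or any code from the thread.
import re

# Constructed sample: lines copied from the DDS log posted above, plus a few clean ones.
SAMPLE_LOG = r"""
============== Running Processes ===============
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\OWNER~1.YOU\LOCALS~1\Temp\Vhl.exe
C:\WINDOWS\Vzacub.exe
C:\WINDOWS\explorer.exe
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [UO8KTAT1GY] c:\docume~1\owner~1.you\locals~1\temp\Vhl.exe
uRun: [6BTOP2GA8A] c:\windows\Vzacua.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mExplorerRun: [THOH] c:\windows\system32\iyuv_32E.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
================= FIREFOX ===================
FF - prefs.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=
=============== Created Last 30 ================
2010-11-28 15:48:31 119808 --sha-r- c:\windows\system32\iyuv_32E.exe
2010-11-16 03:04:53 36356 ---h--w- c:\windows\gdi32.exe
2010-11-16 03:03:53 0 ----a-w- c:\windows\system32\drivers\mfnpgae.sys
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
AUTORUN_RE = re.compile(r"^(uRun|mRun|uRunOnce|mRunOnce|mExplorerRun|StartupFolder):\s*\[([^\]]*)\]\s*(.*)$")
# "Created Last 30" rows: date time size attrs path (size is "--------" for directories).
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+|-+) (\S{8}) (.+)$")
# Value names like UO8KTAT1GY: 8+ upper-case letters/digits with at least one of each.
RANDOM_NAME_RE = re.compile(r"(?=.*\d)(?=.*[A-Z])[A-Z0-9]{8,}")
TEMP_MARKERS = ("\\temp\\", "\\locals~1\\temp", "\\local settings\\temp")
# Binaries that legitimately sit directly in the Windows directory (partial allowlist; assumption).
WINDOWS_ROOT_OK = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe", "winhlp32.exe"}
BINARY_EXTS = {"exe", "dll", "sys", "scr"}

def _directly_under_windows(path: str) -> bool:
    # True for c:\windows\foo.exe; false for c:\windows\system32\foo.exe or allowlisted names.
    parts = path.lower().split("\\")
    return len(parts) == 3 and parts[1] == "windows" and parts[2] not in WINDOWS_ROOT_OK

def _place_reason(path: str, what: str) -> str:
    # Reason text if the path is in a temp directory or the Windows root, else "".
    if any(marker in path.lower() for marker in TEMP_MARKERS):
        return f"{what} in a temp directory"
    if _directly_under_windows(path):
        return f"{what} directly in the Windows directory"
    return ""

def triage(log_text: str) -> list[tuple[str, str, str]]:
    # Returns (section, log line, reason) triples: per-line hits, then autorun/new-file correlation.
    findings: list[tuple[str, str, str]] = []
    autoruns: list[tuple[str, str, str]] = []  # (key, lower-cased target, line)
    suspicious_new: set[str] = set()           # lower-cased paths flagged under Created Last 30
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
        elif not line:
            continue
        elif section == "Running Processes":
            if reason := _place_reason(line, "process running"):
                findings.append((section, line, reason))
        elif section == "Pseudo HJT Report":
            m = AUTORUN_RE.match(line)
            if m:
                key, name, target = m.groups()
                target = target[1:].split('"', 1)[0] if target.startswith('"') else target
                autoruns.append((key, target.lower(), line))
                if reason := _place_reason(target, f"{key} autorun target"):
                    findings.append((section, line, reason))
                if RANDOM_NAME_RE.fullmatch(name):
                    findings.append((section, line, f"{key} autorun has a random-looking value name"))
            elif line.startswith("uPolicies-explorer: NoFolderOptions = 1"):
                findings.append((section, line, "Folder Options removed by policy (user cannot unhide files)"))
        elif section == "FIREFOX" and "keyword.URL" in line:
            findings.append((section, line, "address-bar search redirected via keyword.URL"))
        elif section == "Created Last 30":
            m = CREATED_RE.match(line)
            if not m:
                continue
            size, attrs, path = m.group(3), m.group(4), m.group(5)
            ext = path.lower().rsplit(".", 1)[-1]
            reasons = []
            if ext in BINARY_EXTS and ("h" in attrs or "s" in attrs):
                reasons.append(f"new .{ext} with hidden/system attributes ({attrs})")
            if ext == "sys" and size == "0":
                reasons.append("zero-byte driver file (contents hidden or never written)")
            findings.extend((section, line, r) for r in reasons)
            if reasons:
                suspicious_new.add(path.lower())
    # Second pass: an autorun that launches a newly created suspicious file is its persistence
    # mechanism (in the sample, mExplorerRun [THOH] -> iyuv_32E.exe).
    for key, target, line in autoruns:
        if target in suspicious_new:
            findings.append(("Pseudo HJT Report", line, f"{key} autorun launches a newly created suspicious file"))
    return findings
```

Feed it the full text of a DDS log and review the returned triples; clean entries such as explorer.exe and ctfmon.exe produce no hits.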



#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:59 AM

Posted 28 November 2010 - 04:53 PM

Hello,

Thanks for the logs. Let's get cleaning up your machine.

1.
Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Combofix.txt
How is your machine running now?



#5 Flustrated

Flustrated
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:07:59 AM

Posted 28 November 2010 - 08:44 PM

OK, here we go...

Downloaded and ran Rkill. Had to uninstall my A/V, CA Security, to run ComboFix. Did not have Recovery Console installed, so let ComboFix install it; however, it had to access the internet to do so. I was never prompted to disconnect from the internet while ComboFix was running, so my computer remained online during the process. Once ComboFix finished the scan and produced the log my CPU was again at 100%. I disconnected from the internet and pulled up task manager and iyuv_32.exe was running. I ended the process and usage dropped to around 5 - 10%. Here is the ComboFix log.


ComboFix 10-11-28.01 - Owner 11/28/2010 19:36:59.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.446.110 [GMT -5:00]
Running from: c:\documents and settings\Owner.YOUR-CEA96F509F\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner.YOUR-CEA96F509F\Application Data\Bitrix Security
c:\documents and settings\Owner.YOUR-CEA96F509F\Application Data\Bitrix Security\fg.txt
c:\documents and settings\Owner.YOUR-CEA96F509F\Application Data\Bitrix Security\jje.txt
c:\documents and settings\Owner.YOUR-CEA96F509F\Application Data\Bitrix Security\ljgh.txt
c:\documents and settings\Owner.YOUR-CEA96F509F\Application Data\Bitrix Security\mxd1.txt
c:\documents and settings\Owner.YOUR-CEA96F509F\Application Data\Bitrix Security\plk.txt
c:\documents and settings\Owner.YOUR-CEA96F509F\Application Data\Bitrix Security\qgace71_shrd
c:\documents and settings\Owner.YOUR-CEA96F509F\Application Data\Bitrix Security\qnf.txt
c:\documents and settings\Owner.YOUR-CEA96F509F\Application Data\Bitrix Security\rty.txt
c:\documents and settings\Owner.YOUR-CEA96F509F\Application Data\Bitrix Security\rvslnh
c:\documents and settings\Owner.YOUR-CEA96F509F\Local Settings\Application Data\46256.exe
c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\Internet Explorer\IEXPLOREmgr.exe
c:\windows\gdi32.exe
c:\windows\system32\_004730_.tmp.dll
c:\windows\system32\_004731_.tmp.dll
c:\windows\system32\_004732_.tmp.dll
c:\windows\system32\_004733_.tmp.dll
c:\windows\system32\_004740_.tmp.dll
c:\windows\system32\_004741_.tmp.dll
c:\windows\system32\_004742_.tmp.dll
c:\windows\system32\_004743_.tmp.dll
c:\windows\system32\_004745_.tmp.dll
c:\windows\system32\_004746_.tmp.dll
c:\windows\system32\_004749_.tmp.dll
c:\windows\system32\_004750_.tmp.dll
c:\windows\system32\_004752_.tmp.dll
c:\windows\system32\_004753_.tmp.dll
c:\windows\system32\_004754_.tmp.dll
c:\windows\system32\_004756_.tmp.dll
c:\windows\system32\_004759_.tmp.dll
c:\windows\system32\_004760_.tmp.dll
c:\windows\system32\_004764_.tmp.dll
c:\windows\system32\_004765_.tmp.dll
c:\windows\system32\_004767_.tmp.dll
c:\windows\system32\_004770_.tmp.dll
c:\windows\system32\_004772_.tmp.dll
c:\windows\system32\_004773_.tmp.dll
c:\windows\system32\_004774_.tmp.dll
c:\windows\system32\_004775_.tmp.dll
c:\windows\system32\_004776_.tmp.dll
c:\windows\system32\_004779_.tmp.dll
c:\windows\system32\_004780_.tmp.dll
c:\windows\system32\_004781_.tmp.dll
c:\windows\system32\_004782_.tmp.dll
c:\windows\system32\_004783_.tmp.dll
c:\windows\system32\_004788_.tmp.dll
c:\windows\system32\_004790_.tmp.dll
c:\windows\system32\_004791_.tmp.dll
c:\windows\system32\sshnas21.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
c:\windows\Vzacua.exe
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4


((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 )))))))))))))))))))))))))))))))
.

2010-11-28 15:49 . 2010-11-28 15:48 176640 ----a-w- c:\windows\Vzacub.exe
2010-11-28 15:48 . 2010-11-28 15:48 119808 --sha-r- c:\windows\system32\iyuv_32E.exe
2010-11-27 16:13 . 2010-11-28 15:48 -------- d-----w- c:\program files\win
2010-11-26 23:55 . 2010-11-26 23:55 -------- d-----w- c:\documents and settings\Owner.YOUR-CEA96F509F\Local Settings\Application Data\Temp
2010-11-26 23:52 . 2010-11-26 23:52 -------- d-----w- c:\program files\Common Files\Adobe
2010-11-26 23:39 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-11-26 23:39 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-11-26 23:38 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-11-26 23:38 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-11-18 07:28 . 2010-11-18 07:26 472808 ----a-w- c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
2010-11-18 07:28 . 2010-11-18 07:26 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-18 07:28 . 2010-11-18 07:26 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-18 07:20 . 2010-11-18 07:20 238059 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
2010-11-18 07:20 . 2010-11-18 07:20 238057 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
2010-11-18 07:20 . 2010-11-18 07:20 238016 ----a-w- c:\program files\Internet Explorer\PLUGINS\npqtplugin7.dll
2010-11-18 07:20 . 2010-11-18 07:20 238012 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
2010-11-18 07:20 . 2010-11-18 07:20 237984 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
2010-11-18 07:20 . 2010-11-18 07:20 237975 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
2010-11-18 07:20 . 2010-11-18 07:20 237970 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
2010-11-18 07:20 . 2010-11-18 07:20 237917 ----a-w- c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
2010-11-18 07:19 . 2010-11-18 07:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-11-18 07:18 . 2010-11-18 07:18 -------- d-----w- c:\program files\Common Files\Apple
2010-11-18 07:18 . 2010-11-18 07:18 -------- d-----w- c:\documents and settings\Owner.YOUR-CEA96F509F\Local Settings\Application Data\Apple
2010-11-18 07:17 . 2010-11-18 07:17 -------- d-----w- c:\program files\Apple Software Update
2010-11-18 07:17 . 2010-11-18 07:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-11-18 07:14 . 2010-11-18 07:14 -------- d-----w- c:\documents and settings\Owner.YOUR-CEA96F509F\Local Settings\Application Data\Apple Computer
2010-11-18 07:08 . 2010-10-27 06:10 140248 ------w- c:\program files\Mozilla Firefox\components\brwsrcmp.dll
2010-11-18 07:08 . 2010-10-27 06:10 25048 ------w- c:\program files\Mozilla Firefox\components\browserdirprovider.dll
2010-11-18 06:37 . 2010-11-18 06:37 -------- d-----w- c:\documents and settings\Owner.YOUR-CEA96F509F\Local Settings\Application Data\Secunia PSI
2010-11-18 06:36 . 2010-11-18 06:36 -------- d-----w- c:\program files\Secunia
2010-11-18 03:09 . 2010-11-18 03:09 -------- d-----w- c:\windows\system32\LogFiles
2010-11-16 03:05 . 2010-11-16 03:05 130728 ----a-w- c:\windows\ofarocohuvilitac.dll
2010-11-16 03:03 . 2010-11-17 05:00 0 ----a-w- c:\windows\system32\drivers\mfnpgae.sys
2010-11-16 03:03 . 2010-11-19 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\jJnFi02043
2010-11-16 03:03 . 2010-11-16 03:03 50688 ---ha-w- c:\windows\system32\javagman.dll
2010-11-16 03:03 . 2010-11-16 06:55 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
2010-11-10 17:49 . 2010-11-10 17:49 135568 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2010-11-10 17:49 . 2010-11-10 17:49 135568 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-29 02:28 . 2010-06-26 05:07 95568 ----a-w- c:\windows\system32\vetredir.dll
2010-10-29 02:28 . 2010-06-26 05:07 128336 ----a-w- c:\windows\system32\isafeif.dll
2010-09-18 17:23 . 2010-06-26 02:31 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2010-06-26 02:31 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2010-06-26 02:31 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2010-06-26 02:31 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2010-06-26 02:35 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2010-06-26 02:31 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2010-06-26 02:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 16:17 . 2010-09-08 16:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17 . 2010-09-08 16:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2010-06-26 02:27 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-09-01 08:30 . 2010-09-01 08:30 15544 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2010-08-31 13:42 . 2010-07-16 23:40 1852800 ----a-w- c:\windows\system32\win32k.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 500156]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2010-11-10 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 932288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"THOH"="c:\windows\system32\iyuv_32E.exe" [2010-11-28 119808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [2010-11-9 290872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
2005-04-28 13:32 46080 ----a-w- c:\windows\system32\ati2evxx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 17:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
2004-10-19 00:42 79448 ----a-w- c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2005-04-29 04:05 422229 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2004-11-03 21:03 125528 ----a-w- c:\program files\Common Files\AOL\1277525858\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
2005-08-12 23:16 1121792 ----a-w- c:\program files\McAfee\SpamKiller\MSKDetct.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 16:17 500156 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-09-14 05:42 212992 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1277525858\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R2 Secunia PSI Agent;Secunia PSI Agent;c:\program files\Secunia\PSI\psia.exe [11/9/2010 8:24 AM 838200]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [6/25/2010 9:55 PM 200576]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 3:30 AM 15544]
S3 el575nd5;3Com Megahertz 10/100 LAN CardBus PC Card Driver;c:\windows\system32\drivers\el575ND5.sys [6/25/2010 9:51 PM 69692]
S4 mfnpgae;mfnpgae;c:\windows\system32\drivers\mfnpgae.sys [11/15/2010 10:03 PM 0]
.
Contents of the 'Scheduled Tasks' folder

2010-11-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-11-29 c:\windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
- c:\windows\Vzacub.exe [2010-11-28 15:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.atlanticbb.net/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.YOUR-CEA96F509F\Application Data\Mozilla\Firefox\Profiles\g1v6mpkj.default\
FF - prefs.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-6BTOP2GA8A - c:\windows\Vzacua.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-28 20:07
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwQueryDirectoryFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\documents and settings\Owner.YOUR-CEA96F509F\Start Menu\Programs\Startup\cwoiseqx.exe 75248 bytes executable
c:\documents and settings\Owner.YOUR-CEA96F509F\Start Menu\Programs\Startup\desktop.ini 84 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(876)
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(3916)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\windows\eHome\ehRecvr.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\WLTRAY.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2010-11-28 20:12:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-29 01:12

Pre-Run: 18,744,958,976 bytes free
Post-Run: 26,850,996,224 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - F6D5D21601C72FF245B443394DEEF237
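As an added illustration (not part of this thread's instructions or of ComboFix itself), the Python script below parses the "Files Created" and "Reg Loading Points" sections of a ComboFix log and flags the three patterns the log above shows: executables written with hidden or system attributes, Security Center and firewall settings switched off, and an autostart placed under the policies\explorer\Run key. The sample lines are copied from the log posted above; the section-header layout and the eight-character attribute column are assumed from that log, and the script is a triage aid for reading such a log, not a cleaning tool.

```python
# Triage helper for ComboFix-style logs. Added example for this thread,
# not ComboFix's own code; line formats are taken from the log above.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


# Constructed excerpt: lines copied from the ComboFix log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-29 )))))))))))))))))))))))))))))))
.

2010-11-28 15:49 . 2010-11-28 15:48 176640 ----a-w- c:\windows\Vzacub.exe
2010-11-28 15:48 . 2010-11-28 15:48 119808 --sha-r- c:\windows\system32\iyuv_32E.exe
2010-11-18 07:28 . 2010-11-18 07:26 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-16 03:03 . 2010-11-16 03:03 50688 ---ha-w- c:\windows\system32\javagman.dll
2010-11-18 03:09 . 2010-11-18 03:09 -------- d-----w- c:\windows\system32\LogFiles

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"THOH"="c:\windows\system32\iyuv_32E.exe" [2010-11-28 119808]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# created . modified  size|--------  attrs(8 chars)  path
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:\d+|-+) ([a-z-]{8}) (.+)$"
)
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.+)$')
EXEC_EXT = (".exe", ".dll", ".sys", ".cpl", ".scr")


def split_sections(text):
    """Map each '(((( Name ))))' header to the lines that follow it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line.rstrip())
    return sections


def check_files(lines):
    """Flag executables carrying the hidden (h) or system (s) attribute."""
    findings = []
    for line in lines:
        m = FILE_RE.match(line)
        if not m:
            continue
        attrs, path = m.groups()
        if path.lower().endswith(EXEC_EXT) and ("h" in attrs or "s" in attrs):
            findings.append(Finding("hidden-executable", f"{path} ({attrs})"))
    return findings


def is_set(value):
    """ComboFix prints DWORDs either as 'dword:00000001' or as '1 (0x1)'."""
    v = value.strip().lower()
    if v.startswith("dword:"):
        return int(v[len("dword:"):], 16) != 0
    head = v.split()[0]
    return head.isdigit() and int(head) != 0


def parse_registry(lines):
    """Yield (key, value_name, value_data) for every REGEDIT4-style entry."""
    key = None
    for line in lines:
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group(1), m.group(2)


def check_registry(lines):
    """Flag disabled protections and the Explorer policy autostart key."""
    findings = []
    for key, name, value in parse_registry(lines):
        k, n = key.lower(), name.lower()
        leaf = key.rsplit("\\", 1)[-1]
        if k.endswith("security center") and n in ("antivirusoverride", "firewalloverride"):
            if is_set(value):
                findings.append(Finding("security-center-override", f"{name}={value}"))
        elif "security center\\monitoring" in k and n == "disablemonitoring" and is_set(value):
            findings.append(Finding("av-monitoring-disabled", leaf))
        elif "firewallpolicy" in k and n == "enablefirewall" and not is_set(value):
            findings.append(Finding("firewall-disabled", leaf))
        elif k.endswith("policies\\explorer\\run"):
            # Autostart via the Explorer policy key, rarely used by ordinary software.
            findings.append(Finding("policy-run-autostart", f"{name} -> {value}"))
    return findings


def triage(log_text):
    """Run each check over the section it applies to and return all findings."""
    findings = []
    for name, lines in split_sections(log_text).items():
        if name.startswith("Files Created"):
            findings += check_files(lines)
        elif name == "Reg Loading Points":
            findings += check_registry(lines)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Note what the attribute heuristic does not catch: Vzacub.exe has ordinary attributes and only stands out in the log because a scheduled task under c:\windows\Tasks launches it, so the "Scheduled Tasks" section would be the next thing to cross-reference against the file list.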

#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 28 November 2010 - 10:58 PM

Hello,

We got some of the infection, but some still remains.

1.
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

c:\documents and settings\Owner.YOUR-CEA96F509F\Start Menu\Programs\Startup\desktop.ini

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/


2.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Killall::

Rootkit::
c:\windows\ofarocohuvilitac.dll
c:\windows\system32\drivers\mfnpgae.sys

File::
c:\windows\Vzacub.exe
c:\windows\system32\iyuv_32E.exe
c:\windows\Tasks\{62C40AA6-4406-467a-A5A5-DFDF1B559B7A}.job
c:\documents and settings\Owner.YOUR-CEA96F509F\Start Menu\Programs\Startup\cwoiseqx.exe
c:\windows\ofarocohuvilitac.dll
c:\windows\system32\drivers\mfnpgae.sys

DDS::
uStart Page = hxxp://www.atlanticbb.net/

Firefox::
FF - ProfilePath - c:\documents and settings\Owner.YOUR-CEA96F509F\Application Data\Mozilla\Firefox\Profiles\g1v6mpkj.default\
FF - prefs.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=
FF - user.js: keyword.URL - hxxp://search.mywebstart.net/?sid=10101070100&s=

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiMalware]
"DisableMonitoring"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=-

Driver::
mfnpgae

Reglockdel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

3.
Scan With RKUnHooker

  • Please download Rootkit Unhooker and save it to your desktop.

    Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file -
    you can get a free one from here - http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (tick) Drivers and Stealth, uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"


4.
Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

Things to include in your next reply:
Jotti results
Combofix.txt
RKUnhooker log
MBRCheck log
How is your machine running now?



#7 Flustrated

Flustrated
  • Topic Starter

  • Members
  • 6 posts

Posted 29 November 2010 - 09:10 PM

Good evenin' Fireman4it,

Didn't get very far. Was able to do the step to show hidden files, but when clicking on Jotti and Virustotal got a page that said Internet Explorer cannot display the webpage each time I clicked on the links. Also got a Windows Security Alert that said "To help protect your computer, Windows Firewall has blocked some features of this program" and listed Internet Explorer as the program. The other message was that a trojan of some sort was detected, but I shut my computer down without clicking on anything. When restarting I get the Windows Security Alert and also have to go to task manager to shut down iyuv_32 as it puts my CPU usage up to 100%. I wasn't sure if I should proceed to the next steps without doing the Jotti scan, so I will await your instructions as to how to proceed.

Thanks a bunch!

#8 Flustrated

Flustrated
  • Topic Starter

  • Members
  • 6 posts

Posted 29 November 2010 - 09:49 PM

After posting tried to get to Jotti a couple more times and was finally able to get the page to display, but when browsing for the file c:\documents and settings\Owner.YOUR-CEA96F509F\Start Menu\Programs\Startup\desktop.ini - when I get to the startup file it appears to be empty. I went back and checked to make sure all the buttons were checked and unchecked for hidden folders that you listed and hit apply and ok again, but still nothing in the Startup file. However, there is a desktop.ini file in the Start Menu and another one in the Programs menu.

Thanks,

#9 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 29 November 2010 - 10:26 PM

Hello,

Good job not proceeding if you have a problem. :thumbup2: In this case it is no big deal. Go ahead and skip the Jotti step for now and proceed with the other steps.



#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 01 December 2010 - 11:08 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it



#11 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 04 December 2010 - 06:30 PM

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members or myself. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.





